Update to use new secret naming scheme so we can have multiple keys

sign.sh

@@ -1,32 +1,37 @@
 #!/bin/bash
 set -euo pipefail
 
-if [[ "${1:-}" == "" ]]; then
-    echo "Usage: sign.sh FILE" >&2
+if [[ "${2:-}" == "" ]]; then
+    echo "Usage: sign.sh ARTIFACTTYPE FILE [FILE...]" >&2
+    echo "">&2
+    echo "Creates detached signature as FILE.sig." >&2
     exit 1
 fi
 
 
 tmpdir=$(mktemp -d)
 trap "shred $tmpdir/* && rm -rf $tmpdir" EXIT
 
-SECRET=CDK/SigningKey
+SECRET=CDK/$1/SigningKey
 
 # Use secrets manager to obtain the key and passphrase into a JSON file
-echo "Retrieving key..." >&2
+echo "Retrieving key $SECRET..." >&2
 aws --region us-east-1 secretsmanager get-secret-value --secret-id "$SECRET" --output text --query SecretString > $tmpdir/secret.txt
 passphrase=$(python -c "import json; print(json.load(file('$tmpdir/secret.txt'))['Passphrase'])")
 
 echo "Importing key..." >&2
 gpg --homedir $tmpdir --import <(python -c "import json; print(json.load(file('$tmpdir/secret.txt'))['PrivateKey'])")
 
-echo "Signing $1..." >&2
-echo $passphrase | gpg \
-    --homedir $tmpdir \
-    --local-user aws-cdk@amazon.com \
-    --batch --yes \
-    --passphrase-fd 0 \
-    --output $1.sig \
-    --detach-sign $1
+while [[ "${2:-}" != "" ]]; do
+    echo "Signing $2..." >&2
+    echo $passphrase | gpg \
+        --homedir $tmpdir \
+        --local-user aws-cdk@amazon.com \
+        --batch --yes \
+        --passphrase-fd 0 \
+        --output $2.sig \
+        --detach-sign $2
+    shift
+done
 
 echo "Done!" >&2